RE: bad zone not loaded
Many thanks for your help.
I will focus now on my provisioning system.

> Date: Wed, 4 Feb 2015 08:42:40 -0500
> From: a...@clegg.com
> To: bind-users@lists.isc.org
> Subject: Re: bad zone not loaded
>
> On 2/3/15 8:43 AM, hugo hugoo wrote:
>
> > Sometime my provisioning system provision a bad record in a zone.
> > Example A record with 1.2.3.4.5 value (just an example).
>
> The point of a provisioning system is to keep this type of problem
> from happening. The correct answer? FIX YOUR PROVISIONING SYSTEM.
>
> AlanC

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
bad zone not loaded
Hello,

Can anybody help me?
I am using bind 9.8.2

Sometimes my provisioning system provisions a bad record in a zone.
Example A record with 1.2.3.4.5 value (just an example).

My provisioning system does not detect all bad situations and therefore I can have a zone with only a bad record.
This zone is not updated with a reload (this is OK)...but the whole zone is no more loaded after a stop/start.

Is it possible to tell BIND to reload all correct records and just discard the bad record from the zone?
I can only give the parameter "DISABLE_ZONE_CHECKING" = yes in order that BIND starts.

Thanks in advance for your feedback,
dig and IPV6 server
Dear all,

I try to use dig on my Windows PC using a server in IPV6.
(local loopback from the BBOX I use)
It does not work.
Any help possible?

C:\dig>nslookup www.google.be
Server:  UnKnown
Address:  fe80::a6b1:e9ff:fe68:c8    ==> server I will use with DIG.

Non-authoritative answer:
Name:    www.google.be
Addresses:  2a00:1450:400c:c03::5e
          74.125.132.94

C:\dig>dig @fe80::a6b1:e9ff:fe68:c8 www.google.be
dig: couldn't get address for 'fe80::a6b1:e9ff:fe68:c8': address family not supported

C:\dig>dig @fe80::a6b1:e9ff:fe68:0:0:0:c8 www.google.be
dig: couldn't get address for 'fe80::a6b1:e9ff:fe68:0:0:0:c8': not found

It does not work...

C:\dig>dig -v
DiG 9.3.2

Thanks in advance for any feedback,
Hugo,
RE: any requests
Hello,

Thanks for your answer.
I see ANY queries from my clients (we do not use open resolvers).
I do not see why these kind of queries are present.

Moreover, the cache servers only answer with their cache content.
Is this normal or must the cache query the authoritative server to fetch all the records?

Hugo,

> Date: Sun, 2 Jun 2013 22:13:33 +
> From: v...@rhyolite.com
> To: bind-users@lists.isc.org
> Subject: Re: any requests
>
> > From: Matus UHLAR - fantomas
>
> > On 02.06.13 20:28, hugo hugoo wrote:
> > >I plan to block these kind of requests on the dns cache servers in order to
> > > avoid any amplification attack.
>
> > hard to say, but as I stated before: don't do that.
>
> Instead, use RRL to mitigate many kinds of amplification attacks instead
> of only those using ANY. See http://www.redbarn.org/dns/ratelimits
>
> Blocking DNS ANY requests is to DNS amplification DoS mitigation as
> blocking SMTP envelope Mail_From values of <> is to spam filtering.
> In early spam days, people who either knew far less than they pretended
> or had special agendas prescribed blocking the <> sender as almost the
> FUSSP, and never mind RFCs that require accepting mail from <>, the
> value of mail from <>, and the vast floods of spam that don't and
> never did involve the <> sender.
>
> Blocking DNS ANY or SMTP <> fit the old saying by H. L. Mencken:
>     For every complex problem there is an answer that is clear,
>     simple, and wrong.
>
>
> Vernon Schryver    v...@rhyolite.com
any requests
All,

Can anyone explain to me the purpose of ANY requests sent to cache dns servers?
I plan to block these kind of requests on the dns cache servers in order to avoid any amplification attack.

But I was wondering if complaints can come if I do such limitation.

Thanks in advance for your help.

Hugo,
signature expiration
Hello,

Can anyone tell me why signatures in dnssec must be renewed every 30 days?
What are the modifications made on a zone with a resign?

Thanks in advance for the clarifications.

Hugo,
spf ent txt records.
Dear all,

I received the following question and I am not able to answer as spf records are still mysterious to me.
We are using BIND 9.7.

Thanks in advance for your answers,
Hugo,

Does our DNS-server support SPF-type records? Or do we put SPF-info in a TXT-record?

Ref. :
Early implementations used TXT records for implementation before the new record type was commonly available in DNS software. Use of TXT records for SPF was intended as a transitional mechanism. However, according to the current RFC, RFC 4408, section 3.1.1, "An SPF-compliant domain name SHOULD have SPF records of both RR types. A compliant domain name MUST have a record of at least one type," and as such, TXT record use is not deprecated.[2]
Wild card for IPV6 reverse configuration
Dear all,

I have tried to configure a zone containing a range of IPV6 PTR records.
My target was to see how it is possible to configure such a zone to always return the same answer for all the IPV6 IP’s in the range.
And if possible to return specific names for specific IP’s.

Example of an IPV6 range: 1234:5678:90ab:00cd::/56

Creation of the zone ==> “0.0.b.a.0.9.8.7.6.5.4.3.2.1.ip6.arpa.”

In the zone, I have put the following PTR record:

*.0.0.b.a.0.9.8.7.6.5.4.3.2.1.ip6.arpa. 3600 IN PTR 123.lebrol.be.

It seems (according to some of my tests) that for all IP’s in the range, the reverse is “123.lebrol.be.”

Question ==> is this a correct way to configure reverse IPV6 if we accept the same name for all the IP’s in the range?

Zone modification:

I have tried to add in the zone file the possibility to answer a specific name to a specific IP in the range and keep answering the general name to all the other IP’s in the range.

*.0.0.b.a.0.9.8.7.6.5.4.3.2.1.ip6.arpa. 3600 IN PTR 123.lebrol.be.
1.2.3.4.5.6.7.8.9.a.b.c.d.e.f.0.1.2.0.0.b.a.0.9.8.7.6.5.4.3.2.1.ip6.arpa. 3600 IN PTR nombre.de.cerise.be.    ==> specific IP

It works when the specific IP is used:

lennydnstest01:~# dig @localhost -x 1234:5678:90ab:0021:0fed:cba9:8765:4321

;; QUESTION SECTION:
;1.2.3.4.5.6.7.8.9.a.b.c.d.e.f.0.1.2.0.0.b.a.0.9.8.7.6.5.4.3.2.1.ip6.arpa. IN PTR

;; ANSWER SECTION:
1.2.3.4.5.6.7.8.9.a.b.c.d.e.f.0.1.2.0.0.b.a.0.9.8.7.6.5.4.3.2.1.ip6.arpa. 3600 IN PTR nombre.de.cerise.be.

But if another IP in the range is used having the following nibbles mapping the specific PTR (here 1.2 ), it does not work and nothing is found!

lennydnstest01:~# dig @localhost -x 1234:5678:90ab:0021::

;; QUESTION SECTION:
;0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.2.0.0.b.a.0.9.8.7.6.5.4.3.2.1.ip6.arpa. IN PTR

;; AUTHORITY SECTION:
0.0.b.a.0.9.8.7.6.5.4.3.2.1.ip6.arpa. 3600 IN SOA ns1.uat.skynet.be. dnsmaster.skynet.be. 5 10800 3600 360 3600

Can someone give an explanation on the use of the wildcard *. Any other way to obtain the desired result?

Thanks in advance for your feedback,
Hugo,
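The behaviour reported in this post follows from the wildcard rules of RFC 4592: the specific PTR brings every ancestor name between it and the zone origin into existence as an empty non-terminal, and a wildcard is only consulted at the closest existing ancestor of the query name. The following is an added example, not part of the original post and not BIND code; it models that lookup with the two records from the post, and the `Zone` class and helper names are hypothetical.

```python
import ipaddress

# Zone origin and the two PTR records exactly as given in the post.
ORIGIN = "0.0.b.a.0.9.8.7.6.5.4.3.2.1.ip6.arpa."
RECORDS = [
    ("*.0.0.b.a.0.9.8.7.6.5.4.3.2.1.ip6.arpa.", "123.lebrol.be."),
    ("1.2.3.4.5.6.7.8.9.a.b.c.d.e.f.0.1.2.0.0.b.a.0.9.8.7.6.5.4.3.2.1.ip6.arpa.",
     "nombre.de.cerise.be."),
]


def labels(name):
    """Split a domain name into a tuple of lower-case labels, leftmost first."""
    return tuple(name.lower().rstrip(".").split("."))


def reverse_name(addr):
    """ip6.arpa owner name for an IPv6 address (the name `dig -x` asks for)."""
    return ipaddress.IPv6Address(addr).reverse_pointer + "."


class Zone:
    """Hypothetical in-memory model of one zone holding only PTR data."""

    def __init__(self, origin, records):
        self.origin = labels(origin)
        self.data = {}               # owner labels -> PTR target
        self.nodes = {self.origin}   # every existing name, empty non-terminals included
        for owner, target in records:
            self.add(owner, target)

    def _check_in_zone(self, name):
        if name[-len(self.origin):] != self.origin:
            raise ValueError("name is outside the zone")

    def add(self, owner, target):
        name = labels(owner)
        self._check_in_zone(name)
        self.data[name] = target
        # An owner name also creates every ancestor between it and the origin.
        while len(name) > len(self.origin):
            self.nodes.add(name)
            name = name[1:]

    def closest_encloser(self, qname):
        """Longest existing name that is the query name or one of its ancestors."""
        name = labels(qname)
        self._check_in_zone(name)
        while name not in self.nodes:
            name = name[1:]
        return name

    def lookup(self, qname):
        q = labels(qname)
        encloser = self.closest_encloser(qname)
        if encloser == q:
            # The name exists: its own data, or NODATA for an empty non-terminal.
            return ("ANSWER", self.data[q]) if q in self.data else ("NODATA", None)
        # Only the wildcard directly below the closest encloser may synthesize.
        wildcard = ("*",) + encloser
        if wildcard in self.data:
            return ("ANSWER", self.data[wildcard])
        return ("NXDOMAIN", None)


def covering_wildcards(zone):
    """Wildcard owner names missing below each empty non-terminal of the zone."""
    missing = []
    for node in sorted(zone.nodes, key=len):
        is_empty_non_terminal = node != zone.origin and node not in zone.data
        if is_empty_non_terminal and ("*",) + node not in zone.data:
            missing.append("*." + ".".join(node) + ".")
    return missing


def demo():
    """Look up the post's two addresses plus one more, before and after the fix."""
    queries = ["1234:5678:90ab:0021:0fed:cba9:8765:4321",   # specific IP from the post
               "1234:5678:90ab:0021::",                     # failing query from the post
               "1234:5678:90ab:00ff::1"]                    # constructed: elsewhere in range
    zone = Zone(ORIGIN, RECORDS)
    before = {q: zone.lookup(reverse_name(q)) for q in queries}
    for owner in covering_wildcards(zone):
        zone.add(owner, "123.lebrol.be.")
    after = {q: zone.lookup(reverse_name(q)) for q in queries}
    return before, after


if __name__ == "__main__":
    for label, results in zip(("before", "after"), demo()):
        for query, result in results.items():
            print(label, query, result)
```

In this model the general name comes back for the whole range only once a wildcard PTR exists below every empty non-terminal on the path to the specific record, which is what `covering_wildcards` lists.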
TTL for name servers
Dear all,

Can anyone clarify to me the use of the TTL for a NS record?
Let’s take the example of a *.be domain.

A TTL value is present on both locations.

1) In a dns.be server (for example x.dns.be): in my example here below, value is 86400
2) In the name server itself: in my example here below, value is 345600

If we plan to change the name server to be used for a certain domain, do we have to change the TTL in the dns.be?
Is this possible?
Is this value that all the cache servers use?
If yes…what about the TTL value of the name server itself?

Thanks in advance for any useful feedback,
Hugo,

Example:

dig @localhost google.be NS +trace

; <<>> DiG 9.6-ESV-R4 <<>> @localhost google.be NS +trace
; (1 server found)
;; global options: +cmd
. 502894 IN NS f.root-servers.net.
. 502894 IN NS g.root-servers.net.
. 502894 IN NS h.root-servers.net.
. 502894 IN NS a.root-servers.net.
. 502894 IN NS i.root-servers.net.
. 502894 IN NS b.root-servers.net.
. 502894 IN NS j.root-servers.net.
. 502894 IN NS c.root-servers.net.
. 502894 IN NS k.root-servers.net.
. 502894 IN NS l.root-servers.net.
. 502894 IN NS d.root-servers.net.
. 502894 IN NS m.root-servers.net.
. 502894 IN NS e.root-servers.net.
;; Received 436 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

be. 172800 IN NS m.ns.dns.be.
be. 172800 IN NS x.dns.be.
be. 172800 IN NS london.ns.dns.be.
be. 172800 IN NS prague.ns.dns.be.
be. 172800 IN NS brussels.ns.dns.be.
be. 172800 IN NS amsterdam.ns.dns.be.
;; Received 307 bytes from 198.41.0.4#53(a.root-servers.net) in 27 ms

google.be. 86400 IN NS ns2.google.com.
google.be. 86400 IN NS ns1.google.com.
google.be. 86400 IN NS ns4.google.com.
google.be. 86400 IN NS ns3.google.com.
;; Received 109 bytes from 193.190.135.4#53(brussels.ns.dns.be) in 1 ms

google.be. 345600 IN NS ns4.google.com.
google.be. 345600 IN NS ns1.google.com.
google.be. 345600 IN NS ns3.google.com.
google.be. 345600 IN NS ns2.google.com.
;; Received 173 bytes from 216.239.36.10#53(ns3.google.com) in 18 ms
records via GENERATE
Dear all,

Is there a difference between the configuration of a set of A records using:

1) GENERATE command like:

$GENERATE 0-255 $-1.2.3 A 3.2.1.$

2) Defining all the records one by one.

- difference in the amount of memory used?
- difference in the speed to retrieve the answer.

If GENERATE command is used ==> is the answer "calculated" at the query incoming or are all the records already present in memory?

Thanks in advance for your feedback,
[no subject]
Dear all,

I have the following situation in my zone migration from one server (A) to another server (B).

The zone is called toto.be and contains the following record:

www.toto.be 86400 IN CNAME www.titi.be

==> the zone titi.be is in the same server (A) but is not transferred to the server (B).

If I do a dig @SERVER(A) www.toto.be ==> I receive the IP corresponding to www.titi.be
If I do a dig @SERVER(B) www.toto.be ==> I do not receive the IP corresponding to www.titi.be

- Is this situation due to the fact that dig always and only contacts the server mentioned in the command?
- Do titi.be and toto.be have to be on the same server to correctly use CNAMEs?

Thanks for your feedback,
hugo,
RE:
Doug,

The problem is that the parent zone and the subzone are on the same name server.
If I do a dig @name_server subzone NS or dig @name_server zone NS ... I receive the same NS answer.

> From: do...@dougbarton.us
> To: hugo...@hotmail.com
> CC: cat...@isc.org; bind-users@lists.isc.org
> Subject: Re:
>
> On 3/19/2012 10:08 AM, hugo hugoo wrote:
> > Hello,
> >
> > I have correctly understood the need to have the NS of a subdomain in
> > the parent domain to avoid any malfunction with a future migration to DNSSEC.
> >
> > But can anybody give me a clear method to detect such misconfiguration?
> > Is this possible with dig or is it only possible with the access to the
> > bind text files?
>
> When you query the parent name servers for those records, what happens?
>
>
> Doug
>
>
> --
> If you're never wrong, you're not trying hard enough
RE: zone transfer with DIG: SOA duplicate
Hello,

thanks for this quick answer.
I am a little bit lost...
What is the starting and ending SOA record?
In the original zone, there is only one SOA record...

Hugo,

> Date: Mon, 19 Mar 2012 10:41:22 -0700
> From: mich...@rancid.berkeley.edu
> To: hugo...@hotmail.com
> CC: bind-users@lists.isc.org
> Subject: Re: zone transfer with DIG: SOA duplicate
>
> On 03/19/12 10:33, hugo hugoo wrote:
> > Dear all,
> >
> > I have this strange behaviour when I do a zone transfer with the
> > following command:
> >
> > dig @name_server zone_name AXFR
> >
> >
> > ==> I received 2 SOA records (duplicates).
> >
> > One SOA record is at the end of the received information.
> >
> >
> > Is this normal?
>
> Yes.
>
> In recent versions of dig, you can use the following option, as
> documented in the man page:
>
> +[no]onesoa
>     Print only one (starting) SOA record when performing an AXFR. The
>     default is to print both the starting and ending SOA records.
>
>
> michael
zone transfer with DIG: SOA duplicate
Dear all,

I have this strange behaviour when I do a zone transfer with the following command:

dig @name_server zone_name AXFR

==> I received 2 SOA records (duplicates).

One SOA record is at the end of the received information.

Is this normal?

Thanks for any feedback,
Hugo,

PS I used a DIG from a BIND 9.7 on redhat.
RE: reverse dns for IPV6 ranges
Jay,

- Can you give me an example of such configuration?

Has anyone else some examples of IPV6 reverse configuration used in production environment?
Thanks for sharing your experience...

Hugo,

> Date: Mon, 12 Mar 2012 16:28:53 -0500
> From: jay-f...@uiowa.edu
> To: hugo...@hotmail.com
> CC: bind-users@lists.isc.org
> Subject: RE: reverse dns for IPV6 ranges
>
> On Mon, 12 Mar 2012, hugo hugoo wrote:
> > Has anyone else experience with reverse IPV6 configuration with Bind?
>
> We do static PTR records in the ip6.arpa zones like we do in the in-addr.arpa
> zones, to create address->name mappings matching the name->address mappings
> created by the & A records.
>
> I fairly recently started fiddling with wildcard PTR records for DHCPv6
> address pools, to at least return some answer for a query about the
> addresses. Right now I have it configured so that a query for any address in
> any of the pools returns the same name, but it could be changed to return
> different names for different pools. This obviously doesn't create symmetric
> name->address & address->name mapping, which might or might not be a problem.
> I don't have enough real use of this to know whether this wildcard stuff is
> helpful or not.
>
>
> Jay Ford, Network Engineering Group, Information Technology Services
> University of Iowa, Iowa City, IA 52242
> email: jay-f...@uiowa.edu, phone: 319-335-, fax: 319-335-2951
RE:
Hello,

I have correctly understood the need to have the NS of a subdomain in the parent domain to avoid any malfunction with a future migration to DNSSEC.

But can anybody give me a clear method to detect such misconfiguration?
Is this possible with dig or is it only possible with the access to the bind text files?

Regards,
Hugo,

> Date: Wed, 14 Mar 2012 09:36:26 +
> From: cat...@isc.org
> To: bind-users@lists.isc.org
> Subject: Re:
>
> On 13/03/12 20:46, Mark Andrews wrote:
> >
> > In message , Daniel McDonald writes:
> >>
> >> On 3/13/12 8:20 AM, "hugo hugoo" wrote:
> >>
> >>> ==> do I have to create in zone "toto.be" the following NS record:
> >>>
> >>> titi.toto.be. TTL IN NS ns1.xxx.be
> >>>
> >>>
> >>> I have found cases where this situation is present and other when it is not
> >>> present...and both cases seems to work.
> >>> What is the difference?
> >>
> >> The glue records aren't necessary when both the zone and subzone are on the
> >> same server, although it is good to have them for completeness. When the
> >> zones are on different servers you need the glue records.
> >
> > No, they *are* necessary. Just because their lack does not cause
> > a resolution failure in all cases it doesn't mean they are not
> > necessary.
> >
> > If the parent zone is signed but the child zone is unsigned then
> > the lack of NS records *will* cause validation failures unless
> > OPTOUT is in use even when both zones are only served by a common
> > set of servers.
> >
> > DNSSEC catches out lots of bad practices that mostly pass unnoticed
> > with plain DNS.
> >
> > Mark
>
> I would recommend doing it properly including adding glue records (glue
> is the A records associated with the NS records for the delegated child
> zone - but only if those NS records point to names actually in the
> delegated zone).
>
> If you don't do it properly, and then in say 12 months time, someone
> else starts slaving the parent zone to another server that doesn't also
> slave the child zone, things are going to break...
RE: NS record for subzone definition
Thanks for this interesting feedback.
Now I have the problem to detect this kind of bad configuration.

If I have:

Zone toto.be:
toto.be. NS ns1.xxx.be
+ some records

Zone titi.toto.be:
titi.toto.be. NS ns1.xxx.be
+ some records.

What will be the command to detect that zone toto.be has no NS for titi.toto.be ??

Regards,
Hugo,

> Date: Tue, 13 Mar 2012 15:03:38 +
> From: c...@cam.ac.uk
> To: hugo...@hotmail.com
> CC: ben.crosw...@gmail.com; bind-users@lists.isc.org
> Subject: Re: NS record for subzone definition
>
> On Mar 13 2012, hugo hugoo wrote:
>
> >Thanks for this clear feedback.
> >
> >I understand the problem if the subdomain is not on the same name servers
> >as the domain. The NS record is needed to could find the subdomain on the
> >other name server.
> >
> >You said that the NS is not mandatory (it will work fine in the short term)
> >in case of the same name server for the domain and the subdomain. But how
> >does it work then if no NS is found?
>
> When asked about "tutu.titi.toto.be", the "be" nameservers give a referral
> to the nameservers for "toto.be". When *they* are asked, if they are already
> authoritative for the zone "titi.toto.be", they can answer the question
> without giving another referral.
>
> But as has been pointed out, such a configuration is horribly fragile. The
> set of nameservers (official *and* unofficial) for the zones have to be
> the same, and it won't work anyway if the zones are signed, and so on.
>
> One question to ask is: if the set of nameservers for "toto.be" and
> "titi.toto.be" are now and for evermore going to be the same, why would
> you want to make them separate zones at all? A single zone can have
> domain names nested as deep as you like[*] without you needing to make
> a zone cut.
>
> [*] subject to the overall limit of 253 characters on the fully
> qualified name
>
> --
> Chris Thompson
> Email: c...@cam.ac.uk
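When parent and child zones sit on the same server, querying that server cannot reveal a missing delegation, so one option is to compare the zone data offline. The following is an added example, not part of the thread; the zone contents are constructed from the names used in the posts (SOA records omitted), and the one-record-per-line parser is a simplifying assumption, not BIND's zone parser.

```python
def fqdn(name, origin):
    """Absolute, lower-case form of a zone-file name ('@' and relative names allowed)."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Parse 'owner [ttl] [IN] type rdata' lines into {(owner, type): {rdata, ...}}."""
    rrsets = {}
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()      # drop comments
        if not fields:
            continue
        owner, rest = fqdn(fields[0], origin), fields[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest = rest[1:]                         # skip optional TTL and class
        if len(rest) < 2:
            continue
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        if rtype == "NS":
            rdata = fqdn(rdata, origin)
        rrsets.setdefault((owner, rtype), set()).add(rdata)
    return rrsets


def is_subdomain(name, zone):
    return name == zone or name.endswith("." + zone)


def check_delegations(zones):
    """zones maps origin -> rrsets. Returns (parent, child, problem) tuples for
    every zone whose closest enclosing zone is also served here."""
    findings = []
    for child in sorted(zones):
        parents = [z for z in zones if z != child and is_subdomain(child, z)]
        if not parents:
            continue
        parent = max(parents, key=len)              # closest enclosing zone
        delegated = zones[parent].get((child, "NS"), set())
        apex = zones[child].get((child, "NS"), set())
        if not delegated:
            findings.append((parent, child, "missing-delegation"))
            continue
        if delegated != apex:
            findings.append((parent, child, "ns-mismatch"))
        for ns in sorted(delegated):
            # Glue is only needed when the NS name lies inside the delegated zone.
            has_glue = (ns, "A") in zones[parent] or (ns, "AAAA") in zones[parent]
            if is_subdomain(ns, child) and not has_glue:
                findings.append((parent, child, f"missing-glue:{ns}"))
    return findings


# Constructed sample data: the situation from the thread (no NS for the child).
TOTO = """
toto.be.          86400 IN NS ns1.xxx.be.
www.toto.be.      86400 IN A  192.0.2.10
"""
TITI = """
titi.toto.be.     86400 IN NS ns1.xxx.be.
www.titi.toto.be. 86400 IN A  192.0.2.20
"""
DELEGATION = "titi.toto.be. 86400 IN NS ns1.xxx.be.\n"


def audit_sample():
    """Findings before and after the delegation is added to the parent zone."""
    child = parse_zone(TITI, "titi.toto.be.")
    before = check_delegations({"toto.be.": parse_zone(TOTO, "toto.be."),
                                "titi.toto.be.": child})
    after = check_delegations({"toto.be.": parse_zone(TOTO + DELEGATION, "toto.be."),
                               "titi.toto.be.": child})
    return before, after


if __name__ == "__main__":
    print(audit_sample())
```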
RE:
Thanks for this clear feedback.

I understand the problem if the subdomain is not on the same name servers as the domain.
The NS record is needed to be able to find the subdomain on the other name server.

You said that the NS is not mandatory (it will work fine in the short term) in case of the same name server for the domain and the subdomain.
But how does it work then if no NS is found?

regards,
Hugo,

Date: Tue, 13 Mar 2012 10:02:32 -0400
Subject: RE:
From: ben.crosw...@gmail.com
To: hugo...@hotmail.com
CC: bind-users@lists.isc.org; dan.mcdon...@austinenergy.com

If you do not delegate the subdomains with NS records you are not fully delegating the subdomain. It will work fine in the short term, but you are setting up a landmine for someone to step on later. If you decide to move that subdomain to other dns servers later it will disappear without the NS records.

The best practice is to always put the NS records and not leave it to chance.

On Mar 13, 2012 9:43 AM, "hugo hugoo" wrote:

Thanks for the feedback.

Is this a glue record? I do not have any IP defined in the NS record.

What is the flow of a request to a subzone?
Is the content of the zone checked before checking the subzone?

> Date: Tue, 13 Mar 2012 08:26:02 -0500
> Subject: Re:
> From: dan.mcdon...@austinenergy.com
> To: hugo...@hotmail.com; bind-users@lists.isc.org
>
> On 3/13/12 8:20 AM, "hugo hugoo" wrote:
>
> > ==> do I have to create in zone "toto.be" the following NS record:
> >
> > titi.toto.be. TTL IN NS ns1.xxx.be
> >
> >
> > I have found cases where this situation is present and other when it is not
> > present...and both cases seems to work.
> > What is the difference?
>
> The glue records aren't necessary when both the zone and subzone are on the
> same server, although it is good to have them for completeness. When the
> zones are on different servers you need the glue records.
>
> --
> Daniel J McDonald, CCIE # 2495, CISSP # 78281
RE:
Thanks for the feedback.

Is this a glue record? I do not have any IP defined in the NS record.

What is the flow of a request to a subzone?
Is the content of the zone checked before checking the subzone?

> Date: Tue, 13 Mar 2012 08:26:02 -0500
> Subject: Re:
> From: dan.mcdon...@austinenergy.com
> To: hugo...@hotmail.com; bind-users@lists.isc.org
>
> On 3/13/12 8:20 AM, "hugo hugoo" wrote:
>
> > ==> do I have to create in zone "toto.be" the following NS record:
> >
> > titi.toto.be. TTL IN NS ns1.xxx.be
> >
> >
> > I have found cases where this situation is present and other when it is not
> > present...and both cases seems to work.
> > What is the difference?
>
> The glue records aren't necessary when both the zone and subzone are on the
> same server, although it is good to have them for completeness. When the
> zones are on different servers you need the glue records.
>
> --
> Daniel J McDonald, CCIE # 2495, CISSP # 78281
with subject: NS record for subzone definition
Dear all,

I have a problem in the understanding of the creation of a subzone.

Here is the situation; let's call the name server ns1.xxx.be

I have zone "toto.be" with some records (not important).
In the same name server, I want to create the subzone "titi.toto.be" with some records.

==> do I have to create in zone "toto.be" the following NS record:

titi.toto.be. TTL IN NS ns1.xxx.be

I have found cases where this situation is present and others where it is not present...and both cases seem to work.
What is the difference?

thanks for any feedback,
Hugo,
RE: reverse dns for IPV6 ranges
Hello,

Has anyone else experience with reverse IPV6 configuration with Bind?

Regards,
Hugo,

> From: spa...@countryday.net
> To: hugo...@hotmail.com
> CC: bind-users@lists.isc.org
> Subject: RE: reverse dns for IPV6 ranges
> Date: Tue, 6 Mar 2012 03:09:42 +
>
> > But if only some IP have a reverse..what about the other server who have
> > received an IP in the range? Ip that can be changed every x hours.
> > IF no reverse, it can be blacklisted for some reasons or having some
> > problems with services asking a reverse dns resolution.
>
> In my ip6.arpa zone, all of the entries are for servers whose IPv6 addresses
> never change. If you are going to register PTR records for clients with
> changeable IPv6 addresses, then you need a dynamic update mechanism. Mark
> Andrews made a recommendation earlier in this regard. I don't think there is
> any reason to have PTR records that have no corresponding records in the
> forward lookup zone. That would be computationally infeasible anyway. Jeff.
log for one domain
Dear all,

Is it possible to log queries to a specific domain?
I have a domain configured in my system but I do not know if it is used and by whom.

I want to avoid a lot of logs, so the reason of my question: only have a query log for a specific domain.

Thanks in advance for any help.

Hugo,
RE: reverse dns for IPV6 ranges
thanks for your comment.

But if only some IP have a reverse..what about the other server who have received an IP in the range? Ip that can be changed every x hours.
IF no reverse, it can be blacklisted for some reasons or having some problems with services asking a reverse dns resolution.

> From: spa...@countryday.net
> To: hugo...@hotmail.com
> CC: bind-users@lists.isc.org
> Subject: RE: reverse dns for IPV6 ranges
> Date: Mon, 5 Mar 2012 21:15:53 +
>
> > Can anyone help me with its experience on reverse dns for IPV6?
> > Presently, when we reverse an IPV4 subnet for clients, we configure all the
> > reverse for the whole subnet.
> > It is a lot of PTR's but perfectly manageable.
> > With IPV6, the number of IP's that we will receive is amazing
> > So...it seems impossible for every single IPV6 in the range to configure a
> > PTR.
> > So...what to do?
> > What is the common practice?
> > What is possible with BIND?
>
> For our IPv6 address space 2001:4870:20ca::/48, I created a reverse lookup
> zone a.c.0.2.0.7.8.4.1.0.0.2.ip6.arpa and arranged for delegation from our
> ISP. I included PTR records only for those hosts accessible from the
> outside. Internal DNS is Windows Active Directory integrated. Here's a sample
> from the zone file, which contains about 25 PTR records in all:
>
> $ORIGIN .
> $TTL 3600 ; 1 hour
> a.c.0.2.0.7.8.4.1.0.0.2.ip6.arpa IN SOA ns1.countryday.net. hostmaster.countryday.net. (
>         2012030101 ; serial
>         86400      ; refresh (1 day)
>         3600       ; retry (1 hour)
>         1209600    ; expire (2 weeks)
>         3600       ; minimum (1 hour)
>         )
>     NS ns1.countryday.net.
>     NS ns2.countryday.net.
> $ORIGIN 9.0.0.0.a.c.0.2.0.7.8.4.1.0.0.2.ip6.arpa.
> a.5.6.9.f.9.e.4.3.4.3.e.f.a.0.8 PTR ns2.countryday.net.
> $ORIGIN 8.5.1.0.a.c.0.2.0.7.8.4.1.0.0.2.ip6.arpa.
> 2.9.1.f.1.d.2.1.b.f.7.5.7.f.8.0 PTR ns1.countryday.net.
>
> I would also be interested in hearing about the practices of others. Jeff.
>
> Jeffry A. Spain
> Network Administrator
> Cincinnati Country Day School
reverse dns for IPV6 ranges
Dear all,

Can anyone help me with their experience on reverse dns for IPV6?

Presently, when we reverse an IPV4 subnet for clients, we configure all the reverse for the whole subnet.
It is a lot of PTR's but perfectly manageable.

With IPV6, the number of IP's that we will receive is amazing.
So...it seems impossible for every single IPV6 in the range to configure a PTR.

So...what to do?
What is the common practice?
What is possible with BIND?

Thanks in advance for your answer.
information in slave zone file
Hello,

I have recently done a migration bind8 to bind9.
I have remarked that in my slave zones file, I did not have anymore some interesting information I had with bind8.

This information is comments on the last zone transfer.
Can anybody tell me if it is possible in BIND9 to have the same info?

Thanks in advance,

bind8 -- The 5 first lines have disappeared in bind9

dnszone001:/export/live/zones/slave# more symphony-solutions.eu
; BIND version named 8.4.7-REL-NOESW Mon Sep 25 00:30:06 UTC 2006
; BIND version lamont@mix:/build/lamont/bind-8.4.7/src/bin/named
; zone 'symphony-solutions.eu' last serial 116233
; from [194.44.122.66].53 (local [195.238.3.17].51242) using AXFR at Tue Nov 8 06:20:54 2011
; NOT TSIG verified
$ORIGIN eu.
symphony-solutions 3600 IN SOA dc-1.symphony-solutions.eu. hostmaster.symphony-solutions.eu. (
        116235 900 600 86400 3600 )
    600 IN A 192.168.0.42
    600 IN A 192.168.0.32
    3600 IN A 178.20.153.9
    600 IN A 172.22.32.32
    600 IN A 192.168.0.31
    3600 IN NS ns2.skynet.be.
    3600 IN NS ns3.skynet.be.
    0 IN NS alpha.freehost.com.ua.
several master ip's for a slave zone
Hello,

I have seen that for a slave zone, it is possible to configure several master IPs.

Why this possibility? How does it work if several master zones can be used for the zone transfer?

Thanks for any feedback,

Hugo,
answer to not existing record
Hello,

I have seen a difference in the behaviour for a query to a non existing query (the domain is not managed by the name server) between bind8 and bind9. I just would like to know if it is normal or if it is a problem.

Thanks in advance for your feedback

Bind9:

# dig @localhost www.rai.it

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-2.el6_1.P3.2 <<>> @localhost www.rai.it
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 28581
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.rai.it. IN A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Nov 3 15:09:54 2011
;; MSG SIZE rcvd: 28

Bind8:

# dig @localhost www.rai.it

; <<>> DiG 9.3.4 <<>> @localhost www.rai.it
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10386
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;www.rai.it. IN A

;; AUTHORITY SECTION:
. 518400 IN NS A.ROOT-SERVERS.NET.
. 518400 IN NS B.ROOT-SERVERS.NET.
. 518400 IN NS C.ROOT-SERVERS.NET.
. 518400 IN NS D.ROOT-SERVERS.NET.
. 518400 IN NS E.ROOT-SERVERS.NET.
. 518400 IN NS F.ROOT-SERVERS.NET.
. 518400 IN NS G.ROOT-SERVERS.NET.
. 518400 IN NS H.ROOT-SERVERS.NET.
. 518400 IN NS I.ROOT-SERVERS.NET.
. 518400 IN NS J.ROOT-SERVERS.NET.
. 518400 IN NS K.ROOT-SERVERS.NET.
. 518400 IN NS L.ROOT-SERVERS.NET.
. 518400 IN NS M.ROOT-SERVERS.NET.

;; Query time: 7 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Nov 3 15:13:15 2011
;; MSG SIZE rcvd: 239
bind9 statistics
Hello,

I have the following problem:

In bind8, I can find statistics every hour in the log file (see here below). But in BIND9 I do not find the same statistics in the log file. Is it possible to have it?

Oct 31 07:11:37 dnszone001 named[19854]: NSTATS 1320041497 1301566457 TYPE0=50862 A=1764510765 NS=24977921 CNAME=5164425 SOA=8419048 MG=1 MR=1000 NULL=1 WKS=43 PTR=121163683 HINFO=16119 MINFO=3 MX=497037649 TXT=46163614 RP=3 X25=7 ISDN=2 RT=1 SIG=1 KEY=9 PX=24 =450246677 LOC=117 NXT=1 SRV=14855440 NAPTR=42769 A6=14181975 SINK=1 TYPE43=32907 TYPE46=3100 TYPE47=2864 TYPE48=85413 TYPE51=676 TYPE55=8 TYPE69=1 TYPE72=1 TYPE99=14892632 TKEY=85936 IXFR=2583 AXFR=301179 MAILB=7 ANY=37471162

Thanks in advance for your help.

Hugo,
RE: bind 9 performance
I do not change the zone files. I only remove some logging categories not compatible with bind9, that's all.

I agree that I have to go to BIND9. My question was related to the fact that I am a little worried about a difference in performance when I will be in BIND9. So I wonder if I do not have to also upgrade the hardware.

Is there anything I have to look at to check that all is OK in terms of performance when I will be in BIND9?

Regards,

Hugo,

> Subject: Re: bind 9 performance
> To: eiv...@aminor.no; bind-users-bounces+abushlaibi=ies.etisalat...@lists.isc.org; bind-users@lists.isc.org
> From: abushla...@ies.etisalat.ae
> Date: Wed, 15 Jun 2011 20:06:11 +
>
> What about zone configuration in BIND 8 and BIND 9? Is there any difference between the two ?
>
> Thanks & Regards
>
> -Original Message-
> From: Eivind Olsen
> Sender: bind-users-bounces+abushlaibi=ies.etisalat...@lists.isc.org
> Date: Wed, 15 Jun 2011 20:30:58
> To:
> Subject: Re: bind 9 performance
>
> hugo hugoo wrote:
>
> > - Has anyone faced a performance problem due to an upgrade bind8/bind9?
>
> I didn't notice anything like that when I last upgraded from BIND8 (back in 2001 or so).
>
> When that is said: what kind of hardware are you running it on? Single CPU? Multiple cores? I've seen some fairly ancient performance comparisons between BIND8 and BIND9 that claimed BIND8 performed best on a single-core CPU only. And if I'm not mistaken, BIND9 had some less-than-optimal threading back in those days, and performs much better now.
>
> Is pure performance important to you? Will you be likely to even notice? Also, BIND8 has been deprecated for almost 4 years now.
>
> Regards
> Eivind Olsen
bind 9 performance
Hello all,

I plan to replace bind8 with bind9 on the same hardware (just software upgrade).

- Has anyone faced a performance problem due to an upgrade bind8/bind9?
- Is bind9 less performant or do I have to be confident on this aspect?

Thanks in advance for any feedback,

Hugo,
RE: how to check if a slave zone is expired
Marc,

Thanks for the feedback. I have indeed seen in the logs that the zone is expired on ns2 but my question was more general in order not to have to always try to see the logs (info not available if the zone has expired some weeks ago..).

So.. no way to check that a zone is expired?

For info: no "servfail" answer on the query.

C:\Data\dig>dig @ns2.skynet.be wwW.omega-pharma.be

; <<>> DiG 9.3.2 <<>> @ns2.skynet.be wwW.omega-pharma.be
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 392
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;wwW.omega-pharma.be. IN A

;; AUTHORITY SECTION:
. 518400 IN NS A.ROOT-SERVERS.NET.
. 518400 IN NS B.ROOT-SERVERS.NET.
. 518400 IN NS C.ROOT-SERVERS.NET.
. 518400 IN NS D.ROOT-SERVERS.NET.
. 518400 IN NS E.ROOT-SERVERS.NET.
. 518400 IN NS F.ROOT-SERVERS.NET.
. 518400 IN NS G.ROOT-SERVERS.NET.
. 518400 IN NS H.ROOT-SERVERS.NET.
. 518400 IN NS I.ROOT-SERVERS.NET.
. 518400 IN NS J.ROOT-SERVERS.NET.
. 518400 IN NS K.ROOT-SERVERS.NET.
. 518400 IN NS L.ROOT-SERVERS.NET.
. 518400 IN NS M.ROOT-SERVERS.NET.

;; Query time: 31 msec
;; SERVER: 195.238.3.18#53(195.238.3.18)
;; WHEN: Wed May 04 10:18:37 2011
;; MSG SIZE rcvd: 248

From: marc.la...@eurid.eu
To: hugo...@hotmail.com; bind-users@lists.isc.org
Subject: RE: how to check if a slave zone is expired
Date: Wed, 4 May 2011 09:58:22 +0200

Hugo,

“zones” don’t “expire”, like DNSSEC RRSIG with their “end of validity time stamp”.

At worst, a slave name server is unable to verify the SOA record on the master for “expiry” time. At that point, the slave name server still “knows” it is authoritative, but has no data it could answer with => (at least Bind) will reply with a “SERVFAIL” (not the list of root name servers !)

The second worst thing is that the serial number on the master is lower than what the slaves last “zone transferred”.

As already commented in another reaction, check the logs of the slaves, they (should) signal this (Bind does).

Hope this helps.

Kind regards,

Marc Lampo
Security Officer
EURid vzw/asbl
RE: how to check if a slave zone is expired
Marc,

This example was maybe not the best one. My question remains as other zones are well unavailable on all name servers.

Regards,

Hugo,

From: marc.la...@eurid.eu
To: hugo...@hotmail.com; bind-users@lists.isc.org
Subject: RE: how to check if a slave zone is expired
Date: Wed, 4 May 2011 09:18:56 +0200

Hugo,

This must be a configuration error on “ns2.skynet.be.” The other 3 authoritative name servers answer fine, for omega-pharma.be; ns2.skynet.be. returns the list of root name servers, meaning it isn’t configured to be slave for that domain.

Contact Skynet/Belgacom helpdesk to get this corrected.

Kind regards,

Marc Lampo
EURid vzw/asbl
Security Officer

From: hugo hugoo [mailto:hugo...@hotmail.com]
Sent: 04 May 2011 08:53 AM
To: bind-users@lists.isc.org
Subject: how to check if a slave zone is expired

Dear all,

Is there a way to check that a slave zone is expired? I use dig in the following way to see that the zone is not responding on my server... but is this due to the fact that the zone is expired or another problem?

dnszone002:/etc/bind/zones/slave# dig @localhost omega-pharma.be soa

; <<>> DiG 9.3.4 <<>> @localhost omega-pharma.be soa
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26868
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;omega-pharma.be. IN SOA

;; AUTHORITY SECTION:
. 518400 IN NS A.ROOT-SERVERS.NET.
. 518400 IN NS B.ROOT-SERVERS.NET.
. 518400 IN NS C.ROOT-SERVERS.NET.
. 518400 IN NS D.ROOT-SERVERS.NET.
. 518400 IN NS E.ROOT-SERVERS.NET.
. 518400 IN NS F.ROOT-SERVERS.NET.
. 518400 IN NS G.ROOT-SERVERS.NET.
. 518400 IN NS H.ROOT-SERVERS.NET.
. 518400 IN NS I.ROOT-SERVERS.NET.
. 518400 IN NS J.ROOT-SERVERS.NET.
. 518400 IN NS K.ROOT-SERVERS.NET.
. 518400 IN NS L.ROOT-SERVERS.NET.
. 518400 IN NS M.ROOT-SERVERS.NET.

- How can I see that it is because the zone is expired?
- Is there a way to visualise all the zones that are expired (to make a cleanup of the configuration)

Thanks for your feedback,

Hugo,
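The two replies in this thread separate three cases by what the server sends back: SERVFAIL for a zone it is configured for but has no usable data for, the list of root name servers when it is not configured for the zone at all, and a normal authoritative answer. The script below is an added example, not part of the original messages; it sorts dig output into those cases (plus the REFUSED reply shown for BIND 9 elsewhere on this page). The function names, the labels, and the SERVFAIL and healthy samples are constructed for illustration.

```python
import re

# Abridged from the dig output quoted in this thread (two of the 13 root NS lines kept).
ROOT_REFERRAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26868
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;omega-pharma.be. IN SOA

;; AUTHORITY SECTION:
. 518400 IN NS A.ROOT-SERVERS.NET.
. 518400 IN NS B.ROOT-SERVERS.NET.
"""

# Header lines of the BIND 9 reply quoted in the "answer to not existing record" message.
REFUSED = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 28581
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""

# Constructed samples (not taken from the page).
SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""
HEALTHY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
zone.example. 3600 IN SOA ns1.zone.example. hostmaster.zone.example. 7 600 3600 604800 3600
"""

STATUS = re.compile(r"status:\s*(\w+)")
FLAGS = re.compile(r";; flags:([^;]*);")
COUNTS = re.compile(r"(QUERY|ANSWER|AUTHORITY|ADDITIONAL):\s*(\d+)")
SECTION = re.compile(r";; (\w+) SECTION:")


def parse_dig(text):
    """Extract status, header flags, section counts and AUTHORITY records from dig output."""
    status = STATUS.search(text)
    if status is None:
        raise ValueError("no ->>HEADER<<- line: the query probably got no reply")
    flags = FLAGS.search(text)
    reply = {
        "status": status.group(1).upper(),
        "flags": set(flags.group(1).split()) if flags else set(),
        "counts": {name: int(num) for name, num in COUNTS.findall(text)},
        "authority": [],
    }
    section = None
    for line in text.splitlines():
        line = line.strip()
        header = SECTION.match(line)
        if header:
            section = header.group(1)
        elif not line:
            section = None                      # a blank line closes the section
        elif section == "AUTHORITY" and not line.startswith(";"):
            fields = line.split()               # owner ttl class type rdata...
            if len(fields) >= 5:
                reply["authority"].append((fields[0].lower(), fields[3].upper()))
    return reply


def classify(reply):
    """Label one parsed reply with the case it corresponds to in the thread."""
    if reply["status"] == "SERVFAIL":
        return "servfail"            # zone configured, but no data to answer with
    if reply["status"] == "REFUSED":
        return "refused"             # BIND 9 reply for a zone the server does not serve
    if "aa" in reply["flags"]:
        return "authoritative"       # zone is loaded and being served
    ns_owners = {owner for owner, rtype in reply["authority"] if rtype == "NS"}
    if reply["counts"].get("ANSWER", 0) == 0 and ns_owners == {"."}:
        return "root-referral"       # server is not configured for the zone
    if reply["counts"].get("ANSWER", 0) == 0 and ns_owners:
        return "referral"
    return "non-authoritative"


def zones_needing_attention(outputs):
    """Map zone name -> label for every zone whose SOA query was not answered authoritatively."""
    labels = {zone: classify(parse_dig(text)) for zone, text in outputs.items()}
    return {zone: label for zone, label in labels.items() if label != "authoritative"}


if __name__ == "__main__":
    sample = {"omega-pharma.be": ROOT_REFERRAL, "zone.example": HEALTHY,
              "expired.example": SERVFAIL}
    for zone, label in sorted(zones_needing_attention(sample).items()):
        print(f"{zone}: {label}")
```

Feeding it the output of `dig @localhost <zone> soa` for every slave zone in the configuration gives a list to check without going back through old logs.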
how to check if a slave zone is expired
Dear all,

Is there a way to check that a slave zone is expired? I use dig in the following way to see that the zone is not responding on my server... but is this due to the fact that the zone is expired or another problem?

dnszone002:/etc/bind/zones/slave# dig @localhost omega-pharma.be soa

; <<>> DiG 9.3.4 <<>> @localhost omega-pharma.be soa
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26868
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;omega-pharma.be. IN SOA

;; AUTHORITY SECTION:
. 518400 IN NS A.ROOT-SERVERS.NET.
. 518400 IN NS B.ROOT-SERVERS.NET.
. 518400 IN NS C.ROOT-SERVERS.NET.
. 518400 IN NS D.ROOT-SERVERS.NET.
. 518400 IN NS E.ROOT-SERVERS.NET.
. 518400 IN NS F.ROOT-SERVERS.NET.
. 518400 IN NS G.ROOT-SERVERS.NET.
. 518400 IN NS H.ROOT-SERVERS.NET.
. 518400 IN NS I.ROOT-SERVERS.NET.
. 518400 IN NS J.ROOT-SERVERS.NET.
. 518400 IN NS K.ROOT-SERVERS.NET.
. 518400 IN NS L.ROOT-SERVERS.NET.
. 518400 IN NS M.ROOT-SERVERS.NET.

- How can I see that it is because the zone is expired?
- Is there a way to visualise all the zones that are expired (to make a cleanup of the configuration)

Thanks for your feedback,

Hugo,
slave AXFR bind9
Dear all,

I am really lost with the working of my slave zone. Here the situation/configuration.

I use a server called "lenny" where the zone is identified as slave.
I use a server called custmaster where the zone is master.

After a stop/start of the BIND9 in the Lenny server (slave zone), the slave zone is never synchronised with the master zone. In my test, the serial number in the master is greater than in the slave.

lennydnstest01:~# dig @194.78.73.65 bind9testcarlos.be AXFR    => what is on the master zone (dig use the IP address of the master)

; <<>> DiG 9.6-ESV-R3 <<>> @194.78.73.65 bind9testcarlos.be AXFR
; (1 server found)
;; global options: +cmd
bind9testcarlos.be. 86400 IN SOA ns1.skynet.be. dnsmaster.skynet.be. 1999101725 600 3600 604800 86400
bind9testcarlos.be. 86400 IN NS ns.uat.
bind9testcarlos.be. 86400 IN NS ns2.uat.
ns.bind9testcarlos.be. 3600 IN A 1.2.3.4
ns2.bind9testcarlos.be. 3600 IN A 1.2.3.4
sgtest1.bind9testcarlos.be. 3600 IN A 1.2.3.30
cs1.sgtest1.bind9testcarlos.be. 3600 IN A 1.2.3.4
bind9testcarlos.be. 86400 IN SOA ns1.skynet.be. dnsmaster.skynet.be. 1999101725 600 3600 604800 86400
;; Query time: 5 msec
;; SERVER: 194.78.73.65#53(194.78.73.65)
;; WHEN: Wed Apr 20 14:03:20 2011
;; XFR size: 8 records (messages 1, bytes 250)

dnscustmaster901:/etc/bind/zones/master# cat bind9testcarlos.be    ==> master zone file
$TTL 3600 ;Positive Caching
bind9testcarlos.be. 86400 IN SOA ns1.skynet.be. dnsmaster.skynet.be. (
        1999101725 ; Serial
        600 ; Refresh
        3600 ; Retry
        604800 ; Expire
        86400 ) ; Negative Caching
bind9testcarlos.be. 86400 IN NS ns.uat.
bind9testcarlos.be. 86400 IN NS ns2.uat.
cs1.sgtest1.bind9testcarlos.be. 3600 IN A 1.2.3.4
ns.bind9testcarlos.be. 3600 IN A 1.2.3.4
ns2.bind9testcarlos.be. 3600 IN A 1.2.3.4
sgtest1.bind9testcarlos.be. 3600 IN A 1.2.3.30

lennydnstest01:~# dig @localhost bind9testcarlos.be AXFR    => what is on the slave zone

; <<>> DiG 9.6-ESV-R3 <<>> @localhost bind9testcarlos.be AXFR
; (2 servers found)
;; global options: +cmd
bind9testcarlos.be. 86400 IN SOA ns1.skynet.be. dnsmaster.skynet.be. 1999101723 600 3600 604800 86400
bind9testcarlos.be. 86400 IN NS ns.uat.
bind9testcarlos.be. 86400 IN NS ns2.uat.
ns.bind9testcarlos.be. 3600 IN A 1.2.3.4
ns2.bind9testcarlos.be. 3600 IN A 1.2.3.4
sgtest1.bind9testcarlos.be. 3600 IN A 1.2.3.20
cs1.sgtest1.bind9testcarlos.be. 3600 IN A 1.2.3.4
bind9testcarlos.be. 86400 IN SOA ns1.skynet.be. dnsmaster.skynet.be. 1999101723 600 3600 604800 86400
;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Apr 20 14:03:21 2011
;; XFR size: 8 records (messages 1, bytes 250)

ennydnstest01:~# cat /etc/bind/zones/slave/bind9testcarlos.be    ==> slave zone file
$ORIGIN .
$TTL 86400 ; 1 day
bind9testcarlos.be IN SOA ns1.skynet.be. dnsmaster.skynet.be. (
        1999101723 ; serial
        600 ; refresh (10 minutes)
        3600 ; retry (1 hour)
        604800 ; expire (1 week)
        86400 ; minimum (1 day)
        )
    NS ns.uat.
    NS ns2.uat.
$ORIGIN bind9testcarlos.be.
$TTL 3600 ; 1 hour
ns A 1.2.3.4
ns2 A 1.2.3.4
sgtest1 A 1.2.3.20
$ORIGIN sgtest1.bind9testcarlos.be.
cs1 A 1.2.3.4

After a reload zonefile (not working with "rndc reload") ==> AXFR is done!

lennydnstest01:~# rndc reload bind9testcarlos.be
zone refresh queued

lennydnstest01:~# dig @localhost bind9testcarlos.be AXFR

; <<>> DiG 9.6-ESV-R3 <<>> @localhost bind9testcarlos.be AXFR
; (2 servers found)
;; global options: +cmd
bind9testcarlos.be. 86400 IN SOA ns1.skynet.be. dnsmaster.skynet.be. 1999101725 600 3600 604800 86400
bind9testcarlos.be. 86400 IN NS ns.uat.
bind9testcarlos.be. 86400 IN NS ns2.uat.
ns.bind9testcarlos.be. 3600 IN A 1.2.3.4
ns2.bind9testcarlos.be. 3600 IN A 1.2.3.4
sgtest1.bind9testcarlos.be. 3600 IN A 1.2.3.30
cs1.sgtest1.bind9testcarlos.be. 3600 IN A 1.2.3.4
bind9testcarlos.be. 86400 IN SOA ns1.skynet.be. dnsmaster.skynet.be. 1999101725 600 3600 604800 86400
;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Apr 20 14:08:16 2011
;; XFR size: 8 records (messages 1, bytes 250)

Log in the master:

Apr 20 14:08:03 dnscust
RE: slave timers
In my example, the serial number is greater in the master than the serial number in the slave. So a zone transfer must be done but it is not done after a "rndc reload" or a "start/stop".

The zone transfer is directly done after a "rndc reload zonename".

How can I go on investigating what happens? Is it possible to visualise the value of the refresh timer of a zone? Any other idea?

Hugo,

> Date: Tue, 19 Apr 2011 12:06:54 -0400
> From: dspa...@gmail.com
> To: bind-users@lists.isc.org
> Subject: Re: slave timers
>
> On 4/19/2011 11:42 AM, hugo hugoo wrote:
> > Hello,
> >
> > I have in fact the following problem:
> >
> > The AXFR is not triggered by a “rndc reload”, neither a stop/start of bind9.
> >
> > => nothing is seen in the logs
> >
> > The AXFR is triggered by a “rndc reload zonename”.
> >
> > => logs of the master
> >
> > pr 19 17:32:03 dnscustmaster901 named[5672]: client 194.78.73.88#37854: transfer of 'bind9testcarlos.be/IN': AXFR-style IXFR started
> >
> > Apr 19 17:32:03 dnscustmaster901 named[5672]: client 194.78.73.88#37854: transfer of 'bind9testcarlos.be/IN': AXFR-style IXFR ended
> >
>
> An AXFR will not be initiated by the slave if it determines that it is not needed based on a query of the master's SOA serial number.
>
> --
> Dave
RE: slave timers
Hello,

I have in fact the following problem:

The AXFR is not triggered by a “rndc reload”, neither a stop/start of bind9.

=> nothing is seen in the logs

The AXFR is triggered by a “rndc reload zonename”.

=> logs of the master

pr 19 17:32:03 dnscustmaster901 named[5672]: client 194.78.73.88#37854: transfer of 'bind9testcarlos.be/IN': AXFR-style IXFR started
Apr 19 17:32:03 dnscustmaster901 named[5672]: client 194.78.73.88#37854: transfer of 'bind9testcarlos.be/IN': AXFR-style IXFR ended

=> logs in the slave

pr 19 17:32:10 lennydnstest01 named[4614]: received control channel command 'reload bind9testcarlos.be'
Apr 19 17:32:10 lennydnstest01 named[4614]: zone bind9testcarlos.be/IN: Transfer started.
Apr 19 17:32:10 lennydnstest01 named[4614]: transfer of 'bind9testcarlos.be/IN' from 194.78.73.65#53: connected using 194.78.73.88#37854
Apr 19 17:32:10 lennydnstest01 named[4614]: zone bind9testcarlos.be/IN: transferred serial 1999101714
Apr 19 17:32:10 lennydnstest01 named[4614]: transfer of 'bind9testcarlos.be/IN' from 194.78.73.65#53: Transfer completed: 1 messages, 8 records, 250 bytes, 0.005 secs (5 bytes/sec)

Is this behavior normal?

Zone on the master

$TTL 3600 ;Positive Caching
bind9testcarlos.be. 86400 IN SOA ns1.skynet.be. dnsmaster.skynet.be. (
        1999101714 ; Serial
        10800 ; Refresh
        3600 ; Retry
        604800 ; Expire
        86400 ) ; Negative Caching
bind9testcarlos.be. 86400 IN NS ns.uat.
bind9testcarlos.be. 86400 IN NS ns2.uat.
cs1.sgtest1.bind9testcarlos.be. 3600 IN A 1.2.3.4
ns.bind9testcarlos.be. 3600 IN A 1.2.3.4
ns2.bind9testcarlos.be. 3600 IN A 1.2.3.4
sgtest1.bind9testcarlos.be. 3600 IN A 1.2.3.7

On the slave: (before the rndc reload zonename)

dig @localhost bind9testcarlos.be AXFR

; <<>> DiG 9.6-ESV-R3 <<>> @localhost bind9testcarlos.be AXFR
; (2 servers found)
;; global options: +cmd
bind9testcarlos.be. 86400 IN SOA ns1.skynet.be. dnsmaster.skynet.be. 1999101713 10800 3600 604800 86400
bind9testcarlos.be. 86400 IN NS ns.uat.
bind9testcarlos.be. 86400 IN NS ns2.uat.
ns.bind9testcarlos.be. 3600 IN A 1.2.3.4
ns2.bind9testcarlos.be. 3600 IN A 1.2.3.4
sgtest1.bind9testcarlos.be. 3600 IN A 1.2.3.6
cs1.sgtest1.bind9testcarlos.be. 3600 IN A 1.2.3.4
bind9testcarlos.be. 86400 IN SOA ns1.skynet.be. dnsmaster.skynet.be. 1999101713 10800 3600 604800 86400
;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Apr 19 17:30:27 2011
;; XFR size: 8 records (messages 1, bytes 250)

Thanks in advance for your feedback,

Hugo,

> Date: Mon, 18 Apr 2011 11:19:48 -0500
> From: jay-f...@uiowa.edu
> To: hugo...@hotmail.com
> CC: bind-users@lists.isc.org
> Subject: Re: slave timers
>
> On Mon, 18 Apr 2011, hugo hugoo wrote:
> > I am testing the migration bind8 to Bind9 and the working for slave zones.
> >
> > To do this, I have put the following values to the timers in the master zone.
> >
> > $ORIGIN com.
> > toto 3600 IN SOA ns1.toto.com. postmaster.toto.com. (
> >
> > 2011041404 302 3600 604800 3600 )
>
> > It is really not working good!
> >
> > - Are there some constraint in the timer values?
> >
> > For my test I have a 302 seconds expired time can this work even if this timer is smaller than the other ones?
>
> The second parameter is the refresh timer, not the expire timer.
>
> 302 seconds is pretty short. Assuming your master->slave notifies are working correctly an hour or 2 (3600 or 7200 seconds) should be fine for a refresh timer value, but there are probably valid reasons to use shorter values.
>
> > - When I do a 'rndc reload' on the slave name server, there is no AXFR request to the Master.
> >
> > - When I do a bind9 stop/start on the slave name server, there is no AXFR request to the master.
> >
> > - There is no AXFR request to the master every 302 seconds.
>
> The slave will check the SOA serial number it has against that of the master. If the master's is newer, it will transfer the zone. If not, the slave has current data so doesn't need to transfer it again.
>
> Are you incrementing the SOA serial number on the master?
>
> "rndc retransfer " on the slave will force a transfer, ignoring the SOA serial number. See if that works.
>
>
> Jay Ford, Network Engineering Group
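The refresh decision described in the quoted reply (compare the slave's SOA serial with the master's, transfer only if the master's is newer) and the position of the timers in the SOA record can be checked offline. The script below is an added example, not part of the original messages: it parses the SOA records quoted in this thread, in both the one-line dig form and the parenthesised zone-file form, names the five numeric fields, and compares serials with RFC 1982 serial arithmetic. The function names and state labels are made up for illustration, and it ignores any refresh limits or jitter the server applies.

```python
import re

# SOA records as quoted in this thread.
SLAVE_DIG_SOA = ("bind9testcarlos.be. 86400 IN SOA ns1.skynet.be. dnsmaster.skynet.be. "
                 "1999101713 10800 3600 604800 86400")
MASTER_ZONE_SOA = """\
bind9testcarlos.be. 86400 IN SOA ns1.skynet.be. dnsmaster.skynet.be. (
        1999101714 ; Serial
        10800      ; Refresh
        3600       ; Retry
        604800     ; Expire
        86400 )    ; Negative Caching
"""
TOTO_SOA = "toto 3600 IN SOA ns1.toto.com. postmaster.toto.com. ( 2011041404 302 3600 604800 3600 )"

SOA_FIELDS = ("serial", "refresh", "retry", "expire", "minimum")
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def seconds(token):
    """Convert a zone-file time value such as 3600, 2h or 1w2d to seconds."""
    parts = re.findall(r"(\d+)([smhdw]?)", token.lower())
    if not parts or "".join(num + unit for num, unit in parts) != token.lower():
        raise ValueError(f"not a time value: {token!r}")
    return sum(int(num) * UNITS[unit] for num, unit in parts)


def parse_soa(text):
    """Return the SOA fields by name from a one-line or parenthesised record."""
    # Strip ';' comments line by line, then the parentheses, so both layouts
    # reduce to the same flat token list.
    body = " ".join(line.split(";", 1)[0] for line in text.splitlines())
    tokens = body.replace("(", " ").replace(")", " ").split()
    idx = [t.upper() for t in tokens].index("SOA")
    values = tokens[idx + 3: idx + 8]
    if len(values) != 5:
        raise ValueError("SOA record needs serial, refresh, retry, expire, minimum")
    soa = {"mname": tokens[idx + 1], "rname": tokens[idx + 2], "serial": int(values[0])}
    soa.update(zip(SOA_FIELDS[1:], (seconds(v) for v in values[1:])))
    return soa


def serial_gt(a, b):
    """True when serial a is newer than serial b (RFC 1982, 32-bit wraparound)."""
    diff = (a - b) & 0xFFFFFFFF
    return 0 < diff < 0x80000000


def refresh_decision(slave, master):
    """What the SOA comparison tells the slave to do."""
    if slave["serial"] == master["serial"]:
        return "up-to-date"
    if serial_gt(master["serial"], slave["serial"]):
        return "transfer"
    if serial_gt(slave["serial"], master["serial"]):
        return "master-behind"      # master serial went backwards: no transfer happens
    return "undefined"              # serials exactly 2**31 apart


def slave_state(soa, age):
    """State of a slave copy `age` seconds after its last successful SOA check."""
    if age >= soa["expire"]:
        return "expired"
    if age >= soa["refresh"]:
        return "refresh-due"
    return "current"


if __name__ == "__main__":
    slave, master = parse_soa(SLAVE_DIG_SOA), parse_soa(MASTER_ZONE_SOA)
    print("slave", slave["serial"], "master", master["serial"],
          "->", refresh_decision(slave, master))
    toto = parse_soa(TOTO_SOA)
    print({name: toto[name] for name in SOA_FIELDS})
```

For the toto.com record the output shows 302 in the refresh position and 604800 in the expire position, which is the point made in the quoted reply.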
slave timers
Dear all,

I am testing the migration bind8 to Bind9 and the working for slave zones.

To do this, I have put the following values to the timers in the master zone.

$ORIGIN com.
toto 3600 IN SOA ns1.toto.com. postmaster.toto.com. (
        2011041404 302 3600 604800 3600 )
….
….

It is really not working good!

- Are there some constraint in the timer values?

  For my test I have a 302 seconds expired time => can this work even if this timer is smaller than the other ones?

- When I do a “rndc reload” on the slave name server, there is no AXFR request to the Master.

- When I do a bind9 stop/start on the slave name server, there is no AXFR request to the master.

- There is no AXFR request to the master every 302 seconds.

Can anyone help me to understand?

Thanks in advance,

Hugo,
RE: start script for bind9
I do not use the version provided by Debian because I am migrating from bind8 to Bind9 and I want to have both versions available on the same server. So, I want to have Bind9 totally separated from Bind8.

I use Debian, version 5 and the last ESV bind9.

- I have seen that in the debian distribution, bind9 is started via "named -u bind" ==> is it dangerous to run bind9 as root?

- The following script is provided in the distribution to start/stop bind9. But I hesitate to copy it to use it with a source installation.

lennydnstest01:~# cat /etc/init.d/bind9
#!/bin/sh

### BEGIN INIT INFO
# Provides:          bind9
# Required-Start:    $remote_fs
# Required-Stop:     $remote_fs
# Should-Start:      $network $syslog
# Should-Stop:       $network $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start and stop bind9
# Description:       bind9 is a Domain Name Server (DNS)
#        which translates ip addresses to and from internet names
### END INIT INFO

PATH=/sbin:/bin:/usr/sbin:/usr/bin

# for a chrooted server: "-u bind -t /var/lib/named"
# Don't modify this line, change or create /etc/default/bind9.
OPTIONS=""
RESOLVCONF=no

test -f /etc/default/bind9 && . /etc/default/bind9

test -x /usr/sbin/rndc || exit 0

. /lib/lsb/init-functions
DISTRO=$(lsb_release -is 2>/dev/null || echo Debian)
PIDFILE=/var/run/bind/run/named.pid

check_network() {
    if [ -x /usr/bin/uname ] && [ "X$(/usr/bin/uname -o)" = XSolaris ]; then
        IFCONFIG_OPTS="-au"
    else
        IFCONFIG_OPTS=""
    fi
    if [ -z "$(/sbin/ifconfig $IFCONFIG_OPTS)" ]; then
        #log_action_msg "No networks configured."
        return 1
    fi
    return 0
}

case "$1" in
    start)
        log_daemon_msg "Starting domain name service..." "bind9"

        modprobe capability >/dev/null 2>&1 || true

        # dirs under /var/run can go away on reboots.
        mkdir -p /var/run/bind/run
        chmod 775 /var/run/bind/run
        chown root:bind /var/run/bind/run >/dev/null 2>&1 || true

        if [ ! -x /usr/sbin/named ]; then
            log_action_msg "named binary missing - not starting"
            log_end_msg 1
            exit 1
        fi

        if ! check_network; then
            log_end_msg 1
            exit 1
        fi
        echo $OPTIONS;
        if start-stop-daemon --start --oknodo --quiet --exec /usr/sbin/named \
                --pidfile ${PIDFILE} -- $OPTIONS; then
            if [ "X$RESOLVCONF" != "Xno" ] && [ -x /sbin/resolvconf ] ; then
                echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo.named
            fi
            log_end_msg 0
        else
            log_end_msg 1
        fi
    ;;

    stop)
        log_daemon_msg "Stopping domain name service..." "bind9"
        if ! check_network; then
            log_end_msg 1
            exit 1
        fi

        if [ "X$RESOLVCONF" != "Xno" ] && [ -x /sbin/resolvconf ] ; then
            /sbin/resolvconf -d lo.named
        fi
        pid=$(/usr/sbin/rndc stop -p | awk '/^pid:/ {print $2}')
        if [ -n "$pid" ]; then
            while kill -0 $pid 2>/dev/null; do
                log_progress_msg "waiting for pid $pid to die"
                sleep 1
            done
        fi
        log_end_msg $?
    ;;

    reload|force-reload)
        log_daemon_msg "Reloading domain name service..." "bind9"
        if ! check_network; then
            log_end_msg 1
            exit 1
        fi

        /usr/sbin/rndc reload >/dev/null
        log_end_msg $?
    ;;

    restart)
        if ! check_network; then
            exit 1
        fi

        $0 stop
        $0 start
    ;;

    status)
        ret=0
        status_of_proc -p ${PIDFILE} /usr/sbin/named bind9 2>/dev/null || ret=$?
    ;;

    *)
        log_action_msg "Usage: /etc/init.d/bind9 {start|stop|reload|restart|force-reload|status}"
        exit 1
    ;;
esac

exit 0

> Date: Fri, 15 Apr 2011 16:24:09 +0200
> From: uh...@fantomas.sk
> To: bind-users@lists.isc.org
> Subject: Re: start script for bind9
>
> On 14.04.11 14:23, hugo hugoo wrote:
> > I have installed bind9 using the make install procedure.
> > It works but I did not find any startup script to could put in my /etc/init.d/ directory.
> >
> > I know that if bind is installed via apt-get install (I am using debian linux version), there is automatically a bind9 startup script in /etc/init.d/ directory.
>
> Why don't you use the version provided with debian?
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this
start script for bind9
Hello,

I have installed bind9 using the make install procedure. It works but I did not find any startup script that I could put in my /etc/init.d/ directory.

I know that if bind is installed via apt-get install (I am using debian linux version), there is automatically a bind9 startup script in /etc/init.d/ directory.

Can anyone help?

Kind regards,

Hugo,
notify send by Master zones
Dear all,

I would appreciate it if someone could explain to me why a notify is present in my logs (bind9) for a master zone:

zone fbtest07.be/IN: loaded serial    ==> zone loaded after a reload
fbtest07.be/IN: sending notifies (serial 8)    ==> notify sent (but what is the destination?)

Thanks in advance for your feedback,

Hugo,

Zone file

$TTL 3600 ;Positive Caching
fbtest07.be. 3600 IN SOA ns1.skynet.be. dnsmaster.skynet.be. (
        8 ; Serial
        10800 ; Refresh
        3600 ; Retry
        360 ; Expire
        3600 ) ; Negative Caching
fbtest07.be. 3600 IN NS ns.uat.
ftp.fbtest07.be. 3600 IN A 3.3.3.7 ; ftp

Include file named.zones.inc (see named.conf)

zone "fbtest07.be" {
        type master;
        file "/etc/bind/zones/master/fbtest07.be";
};

named.conf

lennydnstest01:~# cat /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

//include "/etc/bind/named.conf.options";

acl myself { 127/9; };

options {
        directory "/var/cache/bind";
        listen-on { 127.0.0.1; 194.78.73.24; };
        allow-transfer { myself; };
        recursion no;
        //fetch-glue no;
};

logging {
        channel my_debug {
                file "named.run";
                severity dynamic;
                print-time yes;
        };
        category default { default_syslog; my_debug; };
        category config { default_syslog; my_debug; };
        //category parser { default_syslog; my_debug; };
        category queries { my_debug; };
        category lame-servers { default_syslog; my_debug; };
        //category statistics { default_syslog; my_debug; };
        //category panic { default_syslog; my_debug; };
        category update { default_syslog; my_debug; };
        //category ncache { default_syslog; my_debug; };
        category xfer-in { default_syslog; my_debug; };
        category xfer-out { default_syslog; my_debug; };
        //category db { default_syslog; my_debug; };
        //category eventlib { my_debug; };
        //category packet { my_debug; };
        category notify { default_syslog; my_debug; };
        //category cname { default_syslog; my_debug; };
        category security { default_syslog; my_debug; };
        //category os { default_syslog; my_debug; };
        //category insist { default_syslog; my_debug; };
        //category maintenance { default_syslog; my_debug; };
        //category load { default_syslog; my_debug; };
        //category response-checks { default_syslog; my_debug; };
};

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

// add entries for other zones
include "/etc/bind/conf/named.zones.inc";
bind and IPV6
Dear all,

In the scope of the IPV6 deployment, I have been asked if our DNS servers are IPV6 compliant. We are now upgrading all our servers to bind-9.6-ESV-R3.

- Can anybody give some feedback on the IPV6 compliancy? Is bind-9.6-ESV-R3 totally compliant with IPV6?

Thanks in advance to share your experience/knowledge.

Regards,

Hugo,
RE: migration bind8/bind9: config problems.
Thanks for the answers.

About the following answer, in case the provisioning gives zone duplicates:

Run the configuration through named-checkconf if you are worried. It will catch the duplicates before you run named.

Does a tool exist to automatically remove the duplicates in the configuration?

> To: hugo...@hotmail.com
> CC: bind-us...@isc.org
> From: ma...@isc.org
> Subject: Re: migration bind8/bind9: config problems.
> Date: Wed, 16 Feb 2011 07:56:30 +1100
>
> Firstly please get your mail client fixed. Turning commas to "=2C"
> isn't needed and defeats the purpose of printed quotable which is
> to do the minimum changes to make the message transmittable via 7bit
> smtp so that the message is readable by old clients. Anything above
> that minimum is a bug.
>
> In message , hugo hugoo writes:
> >
> > Dear all,
> >
> > I am testing an upgrade from bind8 to bind9.
> > For this, I have installed bind9 in a server with the same configuration
> > files as present in the server running bind8.
> > When I start bind9, I have the following errors and the server does not start.
> >
> > Can anyone answer the questions present in the log here above to help
> > me with my migration?
> >
> > Thanks in advance,
> >
> > Hugo,
> >
> > Feb 15 13:13:10 dnsextcache001 named[17541]: starting BIND 9.6-ESV-R3 -c /etc/bind/named.conf
> > Feb 15 13:13:10 dnsextcache001 named[17541]: built with '--prefix=/usr/local/bind-9.6-ESV-R3'
> > Feb 15 13:13:10 dnsextcache001 named[17541]: using up to 4096 sockets
> > Feb 15 13:13:10 dnsextcache001 named[17541]: loading configuration from '/etc/bind/named.conf'
> > Feb 15 13:13:10 dnsextcache001 named[17541]: /etc/bind/named.conf:17: option 'fetch-glue' is obsolete
> >
> > ==> can I remove this from the configuration without any impact?
>
> Yes. It can be safely removed.
>
> > Feb 15 13:13:13 dnsextcache001 named[17541]: loading configuration: failure
> > Feb 15 13:13:13 dnsextcache001 named[17541]: exiting (due to fatal error)
> > Feb 15 13:13:13 dnsextcache001 named[17541]: /etc/bind/conf/named.zones.inc:488832: zone 'thermote-vanhalst.com': already exists previous definition: /etc/bind/conf/named.zones.inc:93105
> > Feb 15 13:13:13 dnsextcache001 named[17541]: /etc/bind/conf/named.zones.inc:489192: zone 'villedewavre.be': already exists previous definition: /etc/bind/conf/named.zones.inc:104087
> > Feb 15 13:13:13 dnsextcache001 named[17541]: /etc/bind/conf/named.zones.inc:489912: zone 'saval.be': already exists previous definition: /etc/bind/conf/named.zones.inc:186169
> > Feb 15 13:13:13 dnsextcache001 named[17541]: /etc/bind/conf/named.zones.inc:490816: zone 'dataminercube.com': already exists previous definition: /etc/bind/conf/named.zones.inc:384171
> > Feb 15 13:13:13 dnsextcache001 named[17541]: /etc/bind/conf/named.zones.inc:491735: zone 'cdmeerhout.be': already exists previous definition: /etc/bind/conf/named.zones.inc:179099
> > Feb 15 13:13:13 dnsextcache001 named[17541]: /etc/bind/conf/named.zones.inc:491745: zone 'agroservices.be': already exists previous definition: /etc/bind/conf/named.zones.inc:291937
> > Feb 15 13:13:13 dnsextcache001 named[17541]: loading configuration: failure
> > Feb 15 13:13:13 dnsextcache001 named[17541]: exiting (due to fatal error)
> >
> > ==> I can remove the duplicates to allow bind9 to start (bind8 starts
> > even if duplicates are present).
> >
> > BUT!!
> >
> > I would like to have for this point the same behaviour as bind8, as it is
> > possible that the provisioning in the future introduces duplicates, as is
> > the case in my present setup.
> >
> > Is this possible?
>
> No. Run the configuration through named-checkconf if you are worried. It
> will catch the duplicates before you run named.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
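A pre-flight check that a provisioning pipeline could run on the generated include file before named-checkconf, so that a duplicate is rejected at generation time instead of stopping named at startup. This is an added example, not code from the thread or from ISC; the sample configuration is constructed, the function names are hypothetical, and it assumes the file holds only top-level zone statements (no views).

```python
import re
from collections import defaultdict

# Constructed sample of a generated include file. The zone names come from
# the log in the thread; the file names and layout are assumptions.
SAMPLE_CONF = '''\
zone "saval.be" { type master; file "db.saval.be"; };
// zone "saval.be" { type master; file "db.disabled"; };
zone "villedewavre.be" {
    type master;
    file "db.villedewavre.be#1";
};
/* zone "villedewavre.be" { type master; file "db.old"; }; */
zone "SAVAL.be." in { type master; file "db.saval.be.new"; };
'''

# A quoted string, or one of the three comment styles named.conf accepts.
TOKEN_RE = re.compile(r'"[^"\n]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
ZONE_RE = re.compile(r'\bzone\s+"([^"\n]+)"', re.I)

def blank_comments(text):
    """Overwrite comments with spaces; keep strings and line breaks intact."""
    def repl(m):
        tok = m.group()
        return tok if tok.startswith('"') else re.sub(r'[^\n]', ' ', tok)
    return TOKEN_RE.sub(repl, text)

def find_duplicate_zones(text):
    """Return {zone name: [line numbers]} for zones defined more than once."""
    clean = blank_comments(text)
    seen = defaultdict(list)
    for m in ZONE_RE.finditer(clean):
        name = m.group(1).lower().rstrip('.') or '.'   # DNS names ignore case
        seen[name].append(clean.count('\n', 0, m.start()) + 1)
    return {z: lines for z, lines in seen.items() if len(lines) > 1}

def check(text, path='named.zones.inc'):
    """Return report lines; an empty list means no duplicate was found."""
    return [f"{path}:{lines[i]}: zone '{zone}': already defined at line {lines[0]}"
            for zone, lines in find_duplicate_zones(text).items()
            for i in range(1, len(lines))]

if __name__ == '__main__':
    problems = check(SAMPLE_CONF)
    print('\n'.join(problems) or 'no duplicate zones')
    raise SystemExit(1 if problems else 0)
```

The check fails closed rather than choosing which definition to keep; named-checkconf remains the authority on whether the configuration loads.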
migration bind8/bind9: config problems.
Dear all,

I am testing an upgrade from bind8 to bind9.
For this, I have installed bind9 in a server with the same configuration files as present in the server running bind8.
When I start bind9, I have the following errors and the server does not start.

Can anyone answer the questions present in the log here above to help me with my migration?

Thanks in advance,

Hugo,

Feb 15 13:13:10 dnsextcache001 named[17541]: starting BIND 9.6-ESV-R3 -c /etc/bind/named.conf
Feb 15 13:13:10 dnsextcache001 named[17541]: built with '--prefix=/usr/local/bind-9.6-ESV-R3'
Feb 15 13:13:10 dnsextcache001 named[17541]: using up to 4096 sockets
Feb 15 13:13:10 dnsextcache001 named[17541]: loading configuration from '/etc/bind/named.conf'
Feb 15 13:13:10 dnsextcache001 named[17541]: /etc/bind/named.conf:17: option 'fetch-glue' is obsolete

==> can I remove this from the configuration without any impact?

Feb 15 13:13:11 dnsextcache001 named[17541]: /etc/bind/named.conf:30: undefined category: 'parser'
Feb 15 13:13:11 dnsextcache001 named[17541]: /etc/bind/named.conf:33: undefined category: 'statistics'
Feb 15 13:13:11 dnsextcache001 named[17541]: /etc/bind/named.conf:34: undefined category: 'panic'
Feb 15 13:13:11 dnsextcache001 named[17541]: /etc/bind/named.conf:36: undefined category: 'ncache'
Feb 15 13:13:11 dnsextcache001 named[17541]: /etc/bind/named.conf:39: undefined category: 'db'
Feb 15 13:13:11 dnsextcache001 named[17541]: /etc/bind/named.conf:40: undefined category: 'eventlib'
Feb 15 13:13:11 dnsextcache001 named[17541]: /etc/bind/named.conf:41: undefined category: 'packet'
Feb 15 13:13:11 dnsextcache001 named[17541]: /etc/bind/named.conf:43: undefined category: 'cname'
Feb 15 13:13:11 dnsextcache001 named[17541]: /etc/bind/named.conf:45: undefined category: 'os'
Feb 15 13:13:11 dnsextcache001 named[17541]: /etc/bind/named.conf:46: undefined category: 'insist'
Feb 15 13:13:11 dnsextcache001 named[17541]: /etc/bind/named.conf:47: undefined category: 'maintenance'
Feb 15 13:13:11 dnsextcache001 named[17541]: /etc/bind/named.conf:48: undefined category: 'load'
Feb 15 13:13:11 dnsextcache001 named[17541]: /etc/bind/named.conf:49: undefined category: 'response-checks'

==> I have just removed these categories from the configuration file.

Feb 15 13:13:13 dnsextcache001 named[17541]: loading configuration: failure
Feb 15 13:13:13 dnsextcache001 named[17541]: exiting (due to fatal error)
Feb 15 13:13:13 dnsextcache001 named[17541]: /etc/bind/conf/named.zones.inc:488832: zone 'thermote-vanhalst.com': already exists previous definition: /etc/bind/conf/named.zones.inc:93105
Feb 15 13:13:13 dnsextcache001 named[17541]: /etc/bind/conf/named.zones.inc:489192: zone 'villedewavre.be': already exists previous definition: /etc/bind/conf/named.zones.inc:104087
Feb 15 13:13:13 dnsextcache001 named[17541]: /etc/bind/conf/named.zones.inc:489912: zone 'saval.be': already exists previous definition: /etc/bind/conf/named.zones.inc:186169
Feb 15 13:13:13 dnsextcache001 named[17541]: /etc/bind/conf/named.zones.inc:490816: zone 'dataminercube.com': already exists previous definition: /etc/bind/conf/named.zones.inc:384171
Feb 15 13:13:13 dnsextcache001 named[17541]: /etc/bind/conf/named.zones.inc:491735: zone 'cdmeerhout.be': already exists previous definition: /etc/bind/conf/named.zones.inc:179099
Feb 15 13:13:13 dnsextcache001 named[17541]: /etc/bind/conf/named.zones.inc:491745: zone 'agroservices.be': already exists previous definition: /etc/bind/conf/named.zones.inc:291937
Feb 15 13:13:13 dnsextcache001 named[17541]: loading configuration: failure
Feb 15 13:13:13 dnsextcache001 named[17541]: exiting (due to fatal error)

==> I can remove the duplicates to allow bind9 to start (bind8 starts even if duplicates are present).

BUT!!

I would like to have for this point the same behaviour as bind8, as it is possible that the provisioning in the future introduces duplicates, as is the case in my present setup.

Is this possible?
bind8 and bind9 installed on the same server: possible?
Dear all,

I plan to upgrade my nameservers from bind8 to bind9.
I guess I will encounter some compatibility problems, notably in the layout of the zone files.

- Can anybody give me the points of attention for this upgrade? Your experience will be appreciated.
- Is it possible to install bind9 without removing bind8, in order to be able to easily and quickly switch from bind8 to bind9 and vice versa?

Thanks for your support.

Hugo,
bind9 and IPV6
For all users...

Can anybody give me information on the IPv6 compatibility of BIND9 compared to BIND8?
It is not clear what is present in BIND9 and not in BIND8 regarding IPv6.
I have created an IPv6 record in BIND8 and it works...

Thanks in advance for any clear references or for any clear explanations.

Hugo,
RE: one record to be redirected to a specific IP
What I want to do is redirect a site to a specific IP using DNS (this kind of request comes from the Justice).
This specific IP can be an internal website with a warning message, for example.

So I need to be able to redirect www.abcd.com, for example, to a specific IP, 1.2.3.4 for example.
This redirection must not have any impact on other URLs like toto.www.abcd.com or "anything else".www.abcd.com

I am also wondering if it is a problem to impact "anything else".www.abcd.com, if this kind of URL exists.

Thanks in advance for your help in this DNS world, which is new to me.

> Date: Sun, 25 Apr 2010 13:36:33 -0700
> From: do...@dougbarton.us
> To: hugo...@hotmail.com
> CC: bind-us...@isc.org
> Subject: Re: one record to be redirected to a specific IP
>
> On 04/25/10 13:19, hugo hugoo wrote:
> > Yes I need more help on this item.
> > Your answer seems to indicate that there is no way to only redirect
> > www.abcd.com to IP 1.2.3.4
>
> That's essentially correct.
>
> > toto.www.abcd.com will either be redirected to the same IP (zone file
> > with * A 1.2.3.4)
>
> It doesn't have to be the same IP, it could be a different one. You can
> even specify some specific host names with certain IP addresses, with or
> without a wild card for everything else. There are a lot of
> possibilities, but until you tell us EXACTLY what it is you want to
> accomplish, it's next to impossible to provide you useful help.
>
> > So can we redirect only www.abcd.com without any
> > impact on toto.www.abcd.com?
>
> No. Once you create a zone www.abcd.com it will have an impact on
> .www.abcd.com.
>
>
> Doug
>
> --
>
> ... and that's just a little bit of history repeating.
> -- Propellerheads
>
> Improve the effectiveness of your Internet presence with
> a domain name makeover! http://SupersetSolutions.com/
RE: one record to be redirected to a specific IP
Yes I need more help on this item.
Your answer seems to indicate that there is no way to only redirect www.abcd.com to IP 1.2.3.4

toto.www.abcd.com will either be redirected to the same IP (zone file with * A 1.2.3.4) or answered with an NX record (zone file with www.abcd.com A 1.2.3.4)

So can we redirect only www.abcd.com without any impact on toto.www.abcd.com?

> Date: Sat, 24 Apr 2010 15:49:39 -0700
> From: do...@dougbarton.us
> To: hugo...@hotmail.com
> Subject: Re: one record to be redirected to a specific IP
>
> On 04/24/10 15:09, hugo hugoo wrote:
> > Hello,
> >
> > thanks for your reaction...but...
> >
> > if a zone www.abcd.com is configured with the
> > record www.abcd.com, what will happen if the
> > query is
> > toto.www.abcd.com ?
> >
> > ==> will the zone be used and no answer given to the client?
>
> No, because that's not what you asked for. :) You should be able to
> solve that problem by adding the following to the zone file I suggested:
>
> * A 1.2.3.4
>
> If you need more help, please include the list in the reply.
>
>
> hth,
>
> Doug
>
> --
>
> ... and that's just a little bit of history repeating.
> -- Propellerheads
>
> Improve the effectiveness of your Internet presence with
> a domain name makeover! http://SupersetSolutions.com/
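The answers debated in the two replies above (apex record only versus apex plus `* A 1.2.3.4`), worked through as a small model of how a caching server that also holds a local zone "www.abcd.com" responds. This is an added example, not code from the thread or from BIND; the zone data is constructed with SOA and NS omitted, `load` and `answer` are hypothetical names, and the model goes slightly beyond the thread by also covering empty non-terminals.

```python
ORIGIN = "www.abcd.com"

# Constructed zone data for the local zone (SOA and NS records omitted).
# The second line of WITH_WILDCARD is the wildcard suggested in the thread.
APEX_ONLY = "@ A 1.2.3.4\n"
WITH_WILDCARD = "@ A 1.2.3.4\n* A 1.2.3.4\n"

def load(zone_text, origin=ORIGIN):
    """Parse 'owner A address' lines into {fully qualified owner: address}."""
    records = {}
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()       # drop zone-file comments
        if len(fields) != 3 or fields[1].upper() != "A":
            continue
        owner = fields[0].lower()
        if owner == "@":
            owner = origin
        elif owner.endswith("."):
            owner = owner[:-1]                    # already fully qualified
        else:
            owner = f"{owner}.{origin}"           # relative to the origin
        records[owner] = fields[2]
    return records

def exists(name, records, origin):
    """A name exists if it owns data or if some owner name lies below it."""
    return name == origin or name in records or any(
        owner.endswith("." + name) for owner in records)

def answer(qname, records, origin=ORIGIN):
    """Return (result, address) for an A query, as this server would answer."""
    q = qname.lower().rstrip(".")
    if q != origin and not q.endswith("." + origin):
        return ("RECURSE", None)     # outside the local zone: normal recursion
    if q in records:
        return ("NOERROR", records[q])
    if exists(q, records, origin):
        return ("NOERROR", None)     # empty non-terminal: no data, no wildcard
    # Climb to the closest existing ancestor, then try its wildcard child.
    encloser = q.split(".", 1)[1]
    while not exists(encloser, records, origin):
        encloser = encloser.split(".", 1)[1]
    wildcard = records.get("*." + encloser)
    return ("NOERROR", wildcard) if wildcard else ("NXDOMAIN", None)

if __name__ == "__main__":
    for name in ("www.abcd.com", "toto.www.abcd.com", "mail.abcd.com"):
        print(name, answer(name, load(APEX_ONLY)), answer(name, load(WITH_WILDCARD)))
```

Names under abcd.com but outside www.abcd.com are untouched in both variants; only the subtree below www.abcd.com changes between NXDOMAIN and the wildcard address.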
one record to be redirected to a specific IP
Hello all,

I plan to use BIND as a caching DNS.
But I need to be able to redirect a specific record to a specific IP.

How can I do this?
This redirection must only be applied to one record.

Ex: a query for www.ABCD.com must be answered with the IP I have chosen.
The redirection must not be applied to the whole domain ABCD.COM

Can you help?
Can you give an example of a config file to do this?

Thanks in advance,

Hugo,